Thank you, this does not get discussed enough on HN. I used to look forward to monthly releases of VSCode and actually read the changelog carefully to see what new features/enhancements I could make use of. These days I just glance and ignore it completely -- almost everything is Copilot, MCP blahblah. Such a disappointment.
You would think with all the AI magic, they would deliver more "core editor" features/enhancement. No, just more Copilot.
Man this reminds me of the early days of Edge where MS actually made a good browser for a few months and then stuffed it full of bloatware, ads, a crypto wallet (!) and now AI (not even GOOD AI features).
Do you really miss stuff in VS Code's core editor? I mean, coming to think about it, VS Code feels "feature complete", I haven't found in other editors features that I thought "wish I had this in VS Code". Not to justify the whole changelog being about Copilot (isn't it supposed to be a separate extension anyway?), but I guess it's either that or going for a while without updates, or really small changes you'd probably not notice
There are a ton of things that could be done. The fact that you haven't personally needed more features doesn't mean it's "feature complete". Not even close. You just haven't hit those pain points in your workflow.
May I ask how you feel about editors like vim/neovim or emacs or helix? I find that the best editing experience is one you can easily customize to support your needs, for me that is neovim but for you it could be something outside of VS Code?
Also shocked to learn VS Code is using textmate instead of treesitter.
I "learned" vim and used to spend time on setting up a vim environment. But it took way too much time to customize these things. Plus installing plugins is nowhere as easy as with vscode.
These days I just use vim plugin in VSCode and I'm very happy about the setup.
P.S. I am also an experienced VSCode extension developer. You just get much more exposure with a vscode extension compared to vim -- that's where everybody is. And of course it makes sense for me to dogfood the extension.
When I get fed up with VSCode, I run Emacs and I feel happy until I start working on something else that can be done a little faster on VSCode because of the available extensions.
I feel like we almost need government intervention to keep GitHub an open commons, but I am a Libertarian and I distrust the government perhaps even more than the tech industry - still an open question for me.
Lock in and control by huge corporations is almost always uniformly bad. I have accepted the message of great books like Privacy is Power, The Tech Coup, and Surveillance Capitalism, and I feel pretty good about just using Google’s Gemini APIs when I need them, and lean as hard as possible on open models running on Ollama and LM Studio. There are also little things you can do like not installing apps and using web apps.
GitHub is not, and never has been, an open commons. There has always been a terms of service, and GitHub has been able to remove accounts and repositories at will.
Further, git is made to be decentralized. Having the government take over a business to maintain a centralized source is the peak of absurdity.
I don't object to AI features. I just don't want them to only work on AI features. There are plenty of editor related things that they should still be doing. E.g. the ability to show images in the editor. How neat would that be?
Speaking as an Emacs user: embedded images are cool, but their usefulness is debatable. Makes perfect sense for Emacs given org-mode, Auctex, and because due to Emacs' design it's the only way to include icons and whatnot for non-document purposes, but I doubt it's a useful feature for most code editors outside little error indicator icons and the like.
I can confidently predict that the breakout dev tool in the next few years will have LLM features, but won’t have forgotten stuff like editing features. As Claude Code has already demonstrated, you do t even need an editor for good LLM integration.
> “Just like how Bill [Gates] had this idea of Microsoft being a bunch of software developers building a bunch of software, I want our platform, for any enterprise or any organization, to be able to be the thing they turn into their own agent factory,” said Parikh [the CoreAI team lead].
That Bill Gates analogy seems rather far-fetched, though.
The quote actually appears to be recited from an earlier Verge article [0]:
> Parikh, who transformed Facebook engineering teams, now leads a transformation that he describes as building an AI “agent factory” for Microsoft’s customers.
> ”I described this agent factory idea to Bill [Gates], not knowing that he and Paul [Allen] described Microsoft 50 years ago as the software factory,” Parikh says. “Just like how Bill had this idea of Microsoft being a bunch of software developers building a bunch of software, I want our platform, for any enterprise or any organization, to be able to be the thing they turn into their own agent factory.”
It means that Microsoft used to be a software company and it is now supposed to become a software factory company, meaning that it produces factories (=agents) that produce software. That seems like a good goal to have for them.
It was the American CEO Tim Cook which spent some $250 billion investing in training in China, which is more than the Marshall plan (inflation adjusted) or the CHIPS act, for outsourcing the factories to China in which their products get produced.
Let's think about MicroSoft back in the 90s. There are no agent factories, whatever they are, but non-programmers are using Visual Basic, Excel, and Access to write their own software. Maybe throw in some ASP as well. (What if ClippyGPT had been available back in the day?) So thinking about that, if you ignore the buzzwords and squint, it kind of looks familiar.
Of course, none of this has anything to do with GitHub. Will they ~~agentify~~ enshittify Visual Source Safe as well?
I just switched from Github to Gitlab. For anyone who is interested in doing the same, but doubtful because of the effort required: Gitlab has a pretty good migration tool. You authenticate against your github account and gitlab will import all your repos for you. We've been using gitlab at work for a bit and the CI/CD took a little getting used to but I'm overall happy with Gitlab.
Some people think a github presence is important for their personal portfolios/careers, but I've personally never seen any evidence that a recruiter or anyone has ever actually looked at my github profile. Plus I can just put gitlab on there instead now
It's not that simple; their CI workflow architectures are completely different. The way projects and permissions work are completely different. The entire way GitLab organizes the taxonomy is different.
Oh sure for an organization with lots of ci/cd its a big deal. But for individuals who mostly just use github as a code repository for personal projects and dont have a ton of deployments, its real easy
I have worked for companies using GitLab and I really liked it. I need to have just about a dozen of my repos that kind of have to be on GitHub because of integrations with third parties, but most would live fine on GitLab.
EDIT: just looked, GitLab seems caught up in AI agent hype also, and have their prices gone up?
How do you mean? I dont hold it against a company just for having an AI offering. The thing with github/Microsoft is theyre really forcing it down your throat. Github copilot is now a default UI element in Visual Studio and every time I open it up they say "use github copilot, its free!". Every update to visual studio is all about their AI crap now and legit IDE features are always listed at the end
Plus github has also been trying to be a social media sites for a while, too, which I never really apprecisted. The only reason I ever used github in the first place, as a personal user, was because its what everyone else uses on their resume. But I no longer put personal projects on my resume so I dont see the point in using github anymore. We use gitlab at work and it works great.
Though the other providers look good, too. Im not trying to denigrate them. Codeberg, however, looks like it requires a subscription fee, and im just not using enough features of my git provider to justify paying for it
We could barely convince the reviewers on the last review that using GitHub is okay as long as we take some extra steps, I guess we should prepare to switch to a different platform with the next review.
Security audits are just theater. If they were not, you could not ever convince them that using a platform feeding unlicensed source (including apparently from private repositories) to their commercial LLM is ever a pass.
Absolute theater. They do nothing to validate that you are compliant with whatever ISO cert you're pursuing. They make you install a root cert on your macbook and they say that's good enough to ensure compliance. You just attest that you don't do stupid shit like committing directly to master or testing in production and they believe you
> compliant with whatever ISO cert you're pursuing
ISO cert compatibility audits are very different from a proper security audit.
And weather they do anything to check if depends on which you high, many of the slightly more expensive ones have the reputation to be "fast" and "overlook most issues".
But that doesn't apply to all security audits (but most audits for ISO compatibility, like really it's bad).
Anyway see my way to long answer about the on a sibling comment.
I'm certain there are good firms out there which will actually give you a legit audit and make recommendations. But if the client is not actually interested in security, there will always be unscrupulous firms who will essentially sell you an ISO cert for no effort required. In my experience, most medium to small sized companies place little value in security
It really depends on you auditor, audit approach and goals.
There are many audit companies which have a "under the hand" reputation of not properly looking and being easy to convince that you are secure, naturally at a above average audit cost (same but worse btw. for certificates showing compatibility with industry standards).
So if the audit was paid for by the company themself you can't trust it at all (which doesn't mean the company wanted to hide anything, this "bad" audit companies also tend finish the audit fast. So sometimes companies go for it, even if they don't have anything to hide).
Similar sometimes audit companies ask if they can audit you, this is for boosting their publicity using your name. This can easily turn into a "one hand washes the other" situation where they won't overlook massive issues, but still judge issues leniently.
Lastly there are some automated partial audit services which scan you public APIs/websites etc. Realistically they tend to be kinda dump, and might tell you they find a medium issue because (no joke) your REST API allows PUT and DELETE (1). Still I now take them a bit more serious after they pointed out, that there was a configuration error of a web gateway leading to some missing security headers.
(1: There is some history behind that, it's still dump for 90% of REST APIs)
Anyway, the situations so far are security audits which are at least 50% theater. BUT if a huge customers fully pays a audit company with a good/strict reputation then it often really isn't a security theater and can be quite a bad surprise if you company isn't prepared (because you have to fix so much). Like such reviews tend to not only be focused at your deployment or code but the whole software live cycle, including fun questions like "what measurements have you taken in case one of your developers tries to inject a supply chain attack" (which to be clear don't need to have perfect answers, just good enough, and most importantly clear and well documented).
(The link I posted is also not the proper ToS, it is more of an abridged version. They made the actual ToS somewhat hard to find and I cannot be bothered.)
the terms of service links to the privacy policy to explain how private repos are treated, the privacy policy is equally binding. from your link:
> Short version: We treat the content of private repositories as confidential, and we only access it as described in our Privacy Statement—for security purposes, to assist the repository owner with a support matter, to maintain the integrity of the Service, to comply with our legal obligations, if we have reason to believe the contents are in violation of the law, or with your consent.
I think it is safe to assume that more generous (for them) interpretation is the one that will be used by any big company. My link:
> You grant us and our legal successors the right to store, archive, parse, and display Your Content, and make incidental copies, as necessary to provide the Service, including improving the Service over time.
> parse it into a search index or otherwise analyze it on our servers
This is an “AI” platform now. “Improving the service” means that. “With your consent” means you have accepted the ToS (which by the way can be changed at any point and your continued use of the service means you consent to it).
we are EU based and have besides other attorney customers.
Cloud Act and more then just one or two cases of the US engaging in industry espionage against their allies(1) makes it a high legal liability to use more or less any service from a US company even if it's in the EU and a EU daughter company
On GitHub we only have some code, which always anyway goes through additional testing and analysis before hitting production, this is why it's barely okay. No code from GitHub directly goes to production.
The only reason we ever where on GitHub is because we didn't always had sensitive customers and switching CI over is always a pain.
So I don't know if imply them being incompetent for allowing GitHub or for wanting to not allow it, but both point have very good reasons.
(1): And I mean cases before Trump, the US (as in top government, not people) was always a highly egoistic, egocentric ally which never hesitated to screw over their allays when it came to economical benefits. The main difference is that in the past the US cared (quite a bit) about upholding a image of "traditional" values like honesty, integrity and reliability. Especially when it would affect their trade routes.
When all public code including GPL and AGPL has been stolen and plagiarized already and the fabled artificial intelligence is nowhere to be seen, stealing all the private and proprietary code will surely make all the difference.
It probably won't but reselling the code to its owners is still good business. Convince people that statistical models of copyrighted work (which can reproduce said copyrighted work both verbatim or disguised) are A"I" and sadly, somehow, most people seem OK with it.
it seems like anyone continuing to use github is ok with providing free labor to Microsoft. Not that that wasn't the case already, but now it seems especially blatant. "open source" is just corporate welfare at this point.
